Persistent/Session Cookies - Keep Me Signed In?

WLTechStaff 31 Reputation points
2020-12-10T16:34:07.99+00:00

I recently got ADFS set up on a new web app which is often used on shared computers. The app does not have a way to log out unless the cookie is deleted in the browser. In theory, it seems that if Persistent SSO is disabled, then the cookies that are set should be per-session and thus go away when the browser closes. Even more, it seems the "Keep me signed in" button should be able to control this when users sign in. However, it doesn't seem to work. When I sign in with the button unchecked OR if I sign in when Persistent SSO is disabled entirely, the cookie that is set expires on 12 December 2020 (looks like 2,000,000 seconds??), not Session. Ideally I'd want to have the "Keep me signed in" button control whether the cookie was persistent (which I believe is 90 days as long as one logs in every 14 days) or session.

Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.

1 answer

  1. Pierre Audonnet - MSFT 10,181 Reputation points Microsoft Employee
    2020-12-14T03:28:10.467+00:00

    ADFS SSO cookies are not persistent by default, but if the application gives you persistent cookies, and if the application doesn't have a way to destroy its own cookies, I'm afraid we are kind of stuck.

    If you are not sure why the session seems persistent (my guess is that the app has persistence), then you can share a Fiddler trace here and we'll look into it.

    1 person found this answer helpful.
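
Added example, not part of the question or the answer above and not Microsoft's code: once a trace is captured, the `Set-Cookie` headers show which host issues the long-lived cookie. This Node.js script classifies each cookie as session or persistent per RFC 6265; the hosts, cookie names and values are hypothetical, with the 2,000,000-second `Max-Age` taken from the lifetime reported in the question.

```javascript
// Parse one Set-Cookie header value into its name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq < 0 ? pair : pair.slice(0, eq), attrs: {} };
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf('=');
    const key = (i < 0 ? a : a.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i < 0 ? true : a.slice(i + 1).trim();
  }
  return cookie;
}

// RFC 6265: Max-Age takes precedence over Expires; with neither attribute the
// cookie is a session cookie and is discarded when the browser session ends.
function classify(header, receivedAt) {
  const { name, attrs } = parseSetCookie(header);
  let lifetime = null; // seconds from receipt; null means session cookie
  if (typeof attrs['max-age'] === 'string' && /^-?\d+$/.test(attrs['max-age'])) {
    lifetime = parseInt(attrs['max-age'], 10);
  } else if (typeof attrs.expires === 'string') {
    const t = Date.parse(attrs.expires);
    if (!Number.isNaN(t)) lifetime = Math.round((t - receivedAt.getTime()) / 1000);
  }
  const kind = lifetime === null ? 'session' : lifetime <= 0 ? 'deleted' : 'persistent';
  return { name, kind, lifetimeSeconds: lifetime };
}

// One row per cookie, tagged with the host whose response set it.
function auditTrace(responses) {
  return responses.flatMap((r) =>
    r.setCookie.map((h) => ({ host: r.host, ...classify(h, new Date(r.date)) })));
}

// Constructed sample: hosts, cookie names and values are assumptions.
const trace = [
  { host: 'adfs.example.test', date: '2020-12-10T16:34:07Z',
    setCookie: ['IdpSession=constructed; Path=/adfs; HttpOnly; Secure'] },
  { host: 'app.example.test', date: '2020-12-10T16:34:09Z',
    setCookie: ['AppSession=constructed; Max-Age=2000000; Path=/; HttpOnly; Secure',
                'AppPrefs=constructed; Expires=Thu, 10 Dec 2020 17:34:09 GMT; Path=/'] },
];

console.table(auditTrace(trace));
```

A row with kind `persistent` whose host is the application rather than the federation server points at the application's own cookie as the one that survives a browser restart.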
